12

Is it possible for a remote machine to access another machine's localhost data by spoofing the loopback ip?

Say if I wanted a setup where if I'm connecting from somewhere outside my own network, I will have to supply login credentials and my password will be required for all sensitive operations. However, if I am connecting from my computer, these credentials aren't needed because I have to login to my OS to access the network on that device anyway. Can I rely on the loopback address as a security measure in this way? Or is it possible for an attacker to make it appear as though they are connecting locally?

bee.catt
  • I do not believe so. – SpacemanSpiff Jul 26 '12 at 23:50
  • Do you mean get the machine to receive a spoofed packet that appears to have come *from* 127.0.0.1? Or do you mean get the machine to receive a spoofed packet that is addressed *to* 127.0.0.1? – David Schwartz Jul 27 '12 at 00:53
  • I mean, basically, can someone break into my localhost data and do {whatever} with it by pretending to be localhost. – bee.catt Jul 27 '12 at 02:14
  • It's not clear what "break into my localhost data" means. Does that mean make your machine receive a packet that appears to come from 127.0.0.1? – David Schwartz Jul 29 '12 at 11:26

4 Answers

13

No.

It is possible to send data as fake 127.0.0.1, but the reply will go "out" (stay inside actually) the loopback interface, and be 'lost'.

If there is a router on the way, it will send the packet through its own loopback interface, and it will be lost there.

mulaz
  • ok, so if I am understanding all this correctly, an attacker could potentially send something IN, but they wouldn't be able to get anything back OUT, because the nature of the loopback is that it only talks to itself. If this is correct, then could an attacker send in malicious code that makes it possible to connect remotely, or even just some code that generally breaks things? – bee.catt Jul 27 '12 at 00:06
  • You have a routing table in your PC, which says which packets go out where (route -n on *nix). You have an entry there for 127.0.0.0/8 to go out through the loopback interface (it does not actually go out, since it's a loopback). So, if the attacker on your LAN sends a packet to your PC, your PC can accept it, but the return packet will be lost, since it will stay inside your PC (sent 'out' from the loopback). – mulaz Jul 27 '12 at 00:17
  • An interesting idea. However, the loopback interface has no MAC address. So you would have to have the target computer's (technically the target NIC's) MAC in combination with an IP which does not belong to that MAC and hope that the receiving network stack accepts it. And then the package needs to be accepted by something expecting data and probably also listening on the real IP. Still, a nice thought. – Hennes Jul 27 '12 at 00:23
  • You can use the MAC from the ethernet card (when you send a packet to, let's say, Google's 8.8.8.8, you send it to your router's MAC with 8.8.8.8 as dst. IP). The machine needs to have IP forwarding enabled, of course. – mulaz Jul 27 '12 at 00:29
  • What about attacks at the control plane? With a crafted source address of 127.0.0.1, is it possible to bypass some ACLs? – sdaffa23fdsf Oct 10 '14 at 06:23

11

Yes. Surprisingly, it is possible to spoof a loopback source address. Obviously you won't get any replies, so your spoofed packet also needs to include an exploit. Also it will be stopped at a router, so you need to be on the same local network as the victim. The remote hole CVE-2014-9295 was exploitable in this way.

It turns out OS X and the Linux Kernel behave similarly in this case. Any IP packet arriving on an external interface and with the source IP 127.0.0.1 will be dropped immediately. But if we use IPv6 instead we can actually spoof ::1 and send control mode packets to the daemon (some Linux distributions have firewall rules in place that protect against this, e.g. Red Hat). Thus, if we are on the same local network, we can send spoofed packets to the link-local address of the target and bypass the IP restrictions.

http://googleprojectzero.blogspot.de/2015/01/finding-and-exploiting-ntpd.html

sourcejedi
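The routing-table explanation in mulaz's answer and the quoted ntpd case above (a spoofed ::1 reaching a daemon whose access list trusted loopback addresses) point at the same defensive rule: a loopback source address only means "this came from my own machine" when the packet also arrived on the loopback interface. The Python example below is added here and is not part of this thread or of any project mentioned in it. It assumes Linux struct layouts for in_pktinfo and in6_pktinfo, a Python build that exports socket.IPV6_PKTINFO / IPV6_RECVPKTINFO, and the Linux value 8 for IP_PKTINFO where the constant is missing. It shows how a UDP service can read the receiving interface index from recvmsg() ancillary data and combine it with an address test that also covers ::1 and the IPv4-mapped ::ffff:127.x.x.x form, rather than trusting the source address alone as the question proposes.

```python
from __future__ import annotations

import ipaddress
import socket
import struct

# Linux value of IP_PKTINFO; some Python builds do not export the constant (assumption).
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)


def is_loopback_address(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the IPv4-mapped form ::ffff:127.x.x.x.

    A naive  addr == "127.0.0.1"  comparison misses the IPv6 forms a dual-stack
    listener can see, so an access list written that way is either too narrow
    (breaks local IPv6 clients) or, once widened by hand, too loose.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 -> 127.0.0.1
    return ip.is_loopback


def ifindex_from_ancdata(ancdata) -> int | None:
    """Pull the receiving interface index out of recvmsg() ancillary data.

    Needs IP_PKTINFO (IPv4) or IPV6_RECVPKTINFO (IPv6) enabled on the socket.
    Layouts are the Linux ones (assumption):
      struct in_pktinfo  { int ipi_ifindex; struct in_addr ipi_spec_dst, ipi_addr; }
      struct in6_pktinfo { struct in6_addr ipi6_addr; unsigned int ipi6_ifindex; }
    """
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            (ifindex,) = struct.unpack_from("i", data, 0)    # first field
            return ifindex
        if level == socket.IPPROTO_IPV6 and ctype == socket.IPV6_PKTINFO:
            (ifindex,) = struct.unpack_from("I", data, 16)   # after the 16-byte address
            return ifindex
    return None


def is_trusted_local(src_addr: str, ifindex: int | None, loopback_ifindex: int) -> bool:
    """Allow the 'no password needed' path only when BOTH hold:
    the source is a loopback address and the datagram came in on the loopback
    interface. The address alone can be forged on the wire; requiring the
    loopback interface is what makes it meaningful."""
    return is_loopback_address(src_addr) and ifindex == loopback_ifindex


def _demo() -> None:
    """Send one datagram to ourselves over ::1 and classify it (Linux, IPv6 enabled)."""
    lo = socket.if_nametoindex("lo")
    srv = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_RECVPKTINFO, 1)
    srv.bind(("::1", 0))
    port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    cli.sendto(b"status", ("::1", port))          # constructed sample request
    data, ancdata, _flags, src = srv.recvmsg(64, socket.CMSG_SPACE(20))
    ifindex = ifindex_from_ancdata(ancdata)
    print(f"{data!r} from {src[0]} on ifindex {ifindex}: "
          f"trusted={is_trusted_local(src[0], ifindex, lo)}")
    cli.close()
    srv.close()


if __name__ == "__main__":
    _demo()
```

Run as a script it sends one datagram to itself and reports that it arrived on the loopback interface index, so the request is trusted; the same classification applied to a datagram carrying a forged 127.0.0.1 or ::1 source but delivered on a LAN interface returns False, which is the check the quoted ntpd access list lacked. The simpler design, where it is available, is to bind the sensitive service to 127.0.0.1 and ::1 only (or to a Unix domain socket), so that the question of trusting a source address never arises.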

3

Loopback data usually never makes it to the network. It is intercepted and, well, looped back, before that happens. Since it never hits the actual network nothing on the network can intercept it.

Hennes
  • With custom driver software and collaborating NIC hardware, it's surely possible to send ethernet frames carrying IP packages that have localhost address. It's up to the receiving end not to interpret those as true localhost packages. Not all OS do this correctly. – Mikko Rantalainen Dec 15 '20 at 12:26

1

No. The loopback is hardcoded in /etc/hosts - this is the first place the resolver will look for the loopback-to-IP translation. Unless you are able to edit /etc/hosts you cannot do it.

If you can edit /etc/hosts then you are an administrator, so you can do anything.

mnmnc